Secure Offsite Backups for Synology NAS

I have a solid backup strategy in place where my 2-bay Synology NAS is the central data store. The HDDs in the NAS are setup in a JBOD configuration. I don’t need a RAID so this way I am more flexible in which data is stored where.

One HDD is dedicated as a backup drive. Every computer is backed up via Time Machine on this drive. The other HDD is used for network shares. Important documents, pictures, whatever are stored on a dedicated documents share on that HDD. This share is also backed up daily onto the backup drive.

Once per week I connect a USB drive to the NAS and create a backup of the backup drive.

With this strategy I feel quite confident that hardware failures or human failures will not cause any data loss. The only scenario missing so far is fire / theft / water damage. Anything that will affect all HDDs in my household at the same time.

This is where offsite backups come into place. The Synology NAS has different options for creating offsite backups. You can use Amazon S3, Amazon Glacier, Strato HiDrive or any server running a rsync daemon. All of these options have the problem that backups are not being encrypted before they are sent to the destination. I don’t want to store my data in unencrypted form anywhere on the internet.

Luckily it is possible to create encrypted shared folders on the NAS. Synology uses ecryptfs to encrypt files stored on this folder. So I am using an encrypted folder on the backup drive to store the unencrypted documents folder from the first HDD. The files are encrypted using a passphrase. Make sure that you use a secure und sufficiently long passphrase. Also make sure that you do not loose this passphrase. Without the passphrase you will not be able to decrypt your files.

When backing up the encrypted folder only the already encrypted files are sent to the destination server. Filenames and folder names are also encrypted so that the data is completely secure as long as the passphrase is long enough.

I already have a virtual server hosted by a reliable company which has enough diskspace and gets backed up daily. So I decided to store my offsite backup on this server. This is done via rsync. Unfortunately Synology does not support rsync over SSH so you need to setup an rsync daemon. The following steps describe how to setup this daemon in a secure way on Ubuntu Linux.

First you need to install rsync:

sudo aptitude install rsync

Now create the configuration file /etc/rsyncd.conf with the following contents:

Replace SHARE_NAME with any symbolic name you like. You need to specify the share name when setting up the remote backup on the Synology NAS. The SHARE_PATH should point to a directory on the server where you want to store the backup. Uid and Gid should point to a user account that has write privileges to the destination directory. LOGIN_NAME is only used for authenticating against the rsync daemon. You don’t need to specify a system user.

The login credentials are specified in the file /etc/rsyncd.secrets. Create this file and add the LOGIN_NAME specified in /etc/rsyncd.conf:

LOGIN_NAME:PASSWORD

Again, use a long and secure password.

Please note that rsync uses unencrypted file transfers. Never use the rsync daemon to transfer unencrypted private files over the internet.

Now you need to activate the rsync daemon. First set RSYNC_ENABLE=true in /etc/default/rsync. Now you can start the daemon:

sudo /etc/init.d/rsync start

I recommend preventing brute force attacks on the rsync daemon via fail2ban. Please see my article Securing SSH server with fail2ban on how to setup fail2ban. You can use the following ruleset to catch all login attempts:

failregex = unknownmodule.*\(<HOST>\)
authfailedonmodule.*\(<HOST>\)

Every IP address with 4 failed login attempts within 10 minutes will be blocked for a couple of hours. Together with a secure password this will effectively prevent break in attempts.

The rsync log files can become quite large. You therefore need to setup a logrotate job. Create the file /etc/logrotate.d/rsync with following contents:

/var/log/rsync.log {
dailyrotate4compressnotifemptymissingok
}

Everything is now setup on the server side. You only need to create the backup job on the Synology NAS and don’t forget to select the encrypted folder as the source folder.